NPF documentation
Mindaugas Rasiukevicius has worked on
NetBSD's new packet filter "npf" for quite some time now.
To make things easier for new users, he has now
also put up documentation for it.

Introducing NPF in NetBSD 6.0
NetBSD's development version has had npf available as another
packet filter for quite some time. With the release of NetBSD
6.0, it is now available more widely, and
npf author Mindaugas Rasiukevicius has
pointed out
that there are two PDFs available that explain more
about NPF:

Introducing NPF, NetBSD's new packet filter (Updated)
Following the recent
call for funded projects,
a from-scratch implementation of NPF, a new packet filter
developed by Mindaugas Rasiukevicius (rmind@), has now been announced:
``NPF is designed for high performance on
multiprocessor machines, and for easy extensibility.

Highlights of NPF features include

MP-safety and locklessness for scalable MP performance: no longer is
the packet filter the bottleneck in your multicore router

The N-Code processor, a packet-inspection engine inspired by BPF:
the N-Code processor is programmed to match packets using generic,
RISC-like instructions and a few CISC-like instructions for common
patterns such as IPv4 addresses

Familiar configuration syntax and utilities

Modularity and extensibility: users extend NPF by loading a kernel
module. NPF provides developers with an extensions API. NPF rules
can embed a hook that invokes an extension

By the end of January, NPF should have all of the capabilities that
NetBSD users have come to expect by using the other filters in the
kernel:

IPv4 reassembly support

Bi-directional NAT and port forwarding (re-direction)

FTP proxy support

IP header flags cleansing

ICMP packets and TCP RST packet blocking

Save/restore state

Packet logging, configurable using filter rules

Rasiukevicius will also write documentation and configuration examples.

Beyond that, NPF needs code for IPv6 support. Rasiukevicius agrees to
provide technical support to developers who will add IPv6 support to
NPF. An outline of the steps to IPv6 support will be forthcoming.

NPF is the third packet filter in NetBSD, after IP Filter and PF. NPF
is unique for using a bytecode interpreter in its packet-inspection
engine, and for answering the question, "What does a packet filter
designed from the bottom up for multiprocessor systems look like?"

NPF development is sponsored by the NetBSD Foundation.''

Good! If anyone feels bored / brave, things that I'd love to see
added include IPv6 support and support for AltQ,
(Net)BSD's implementation of alternate network queuing,
i.e. QoS / CoS.